net: s2io: fix buffer overflow
vpd_data[] is allocated as kmalloc(256, GFP_KERNEL), so if cnt = 255 then (cnt + 3) overflows 256. memset() is executed without checking. vpd_data[cnt+2] must be less than 256-cnt-2 as the latter is number of vpd_data[] elements to copy. Do not fill with zero the beginning of nic->serial_num as it will be filled with vpd_data[]. String in product_name[] should be terminated by '\0'. Signed-off-by: NKulikov Vasiliy <segooon@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
Showing
想要评论请 注册 或 登录